[xmlsec] XPATH and Visa 3D-secure specification
Jesse Pelton
jsp@PKC.com
Thu, 25 Sep 2003 11:06:53 -0400
I think that's the core question: does the Visa spec call for handling their
CDATA "id" attribute as if it were an ID? I don't know anything about the
spec, except that it causes this question to arise periodically
(occasionally inducing me to rant). Slava, can you point to it, or excerpt
relevant sections?
> -----Original Message-----
> From: Rich Salz [mailto:rsalz@datapower.com]
> Sent: Thursday, September 25, 2003 10:38 AM
> To: Slava Kostin
> Cc: xmlsec@aleksey.com
> Subject: Re: [xmlsec] XPATH and Visa 3D-secure specification
>
>
> Are they doing something like this?
>
> <visa:PARes id="...">
> and then later on doing
> <ds:Reference URI="#..."
> Then according to the last paragraph of section 4.3.3.2, the PARes id
> attribute *must* be an XML ID.
>
> The language is a little obscure, but if you read 4.3.3.2 and 4.3.3.3
> carefully, you will see that if dsig:Reference/@URI has a
> "#", then it
> is taken as a "barename XPointer". Which means that it can
> only refer
> to something that is a legal XML ID attribute. This is
> XPointer, not XPath.
>
> VISA is non-conformant; the visa:PARes/@id attribute MUST be
> of type ID,
> and must conform to the syntax requirements of ID's.
> /r$